The Russian Office of the Interior Ministry and the Federal Security Service (FSB) announced today the arrest of eight suspects connected with the distribution and use of the Carberp malware.

The men are accused of stealing more than 60 million Rubles ($2 million USD) from the bank accounts of more than 90 fellow citizens. The group was organized by two brothers, one 29 years old, the other 26, while the others involved appear to have been money mules or “cashers”.

The older brother was released on a 3 million Ruble ($100,000 USD) bond, the younger brother was jailed related to earlier charges of real estate fraud and the other six remain under house arrest

Carberp has been associated with the Blackhole Exploit Kit in the past and was likely installed onto victim computers through drive-by installs exploiting unpatched Java vulnerabilities.

It appears the brothers would collect credentials for popular online banking sites in Russia and transfer funds from the victims to accounts they controlled. They would then send out the cashers to go to Moscow area ATMs to retrieve the cash.

To facilitate their activities the men rented office space in Moscow under the guise of a legitimate computer services company.

During the raid the police confiscated computers, bank cards, notary equipment and more than 7 million Rubles ($240,000 USD) in cash.

The men face up to 10 years in prison if convicted of the crimes. They are accused of illegal access to computer information, the creation, use and dissemination of harmful computer programs (malware) and theft.

I’m not sure if these guys have a sense of humor, but one of the variants analyzed by SophosLabs called home to its command and control servers to the domain fromamericawhichlov-DOT-com.

I suppose the most interesting bit is that it is illegal to create, use or disseminate malware in Russia. Considering the quantity of spam, fake anti-virus and other malicious content flooding victims daily that originates from Russian partnerkas you would be forgiven if you thought it was allowed.

The lesson learned is don’t target Russians if you want to commit bank fraud from Russia.

Post navigation

About the author

Chester Wisniewski has been involved in the information security space
since the late 1980s. He is currently a Principal Research Scientist in
the Office of the CTO. Chet divides his time between research, public
speaking, writing and attempting to communicate the complexities of
security to the press and public in a way they can understand.
Chester has spoken at RSA, InfoSec Europe, LISA, USENIX, Virus Bulletin
and many Security BSides events around the world in addition to
regularly consulting with NPR, CNN, CBC, The New York Times and other
media outlets.
You can follow Chester on Twitter as @chetwisniewski, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.